A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, December 19, 2025. I'm Steve Prentiss.

Recent Windows updates break RemoteApp connections
Yesterday we reported on Microsoft's December 2025 security update breaking message queuing on older Windows 10 and Server systems. It appears another update-related breakage is also occurring. This one, based on the November 2025 non-security update, is triggering RemoteApp connection failures on Windows 11 24H2 and 25H2 and Windows Server 2025 devices in Azure Virtual Desktop environments. RemoteApp enables users to stream individual Windows applications from the cloud without loading an entire virtual desktop, making them run like local and native applications. Microsoft says this issue does not affect personal devices running Windows Home or Pro editions, since Azure Virtual Desktop is predominantly deployed in enterprise settings. No timeline for a permanent fix has yet been announced.

France arrests threat actors for installing malware on Italian ferry
French authorities have arrested two crew members working on an Italian passenger ferry. These crew members are suspected of infecting the ship with malware that could have enabled them to remotely control the vessel. One of the pair, a Bulgarian national, has been released without charge, while the other, a Latvian suspect who recently joined the crew of the Italian-owned ferry, remains detained and faces charges of conspiring to infiltrate computer systems on behalf of a foreign power. This comes after a remote access tool was discovered by the shipping company itself while the ship was docked at the Mediterranean port of Sète, in southern France.

Senate intel chair urges safeguards against open source software threats
Tom Cotton, the Senate Intelligence Committee chairman, is asking National Cyber Director Sean Cairncross to take steps to counter the risks of foreign adversaries playing too heavy a role in open source software, describing the environment as one in which threat actors assume that contributors are benevolent so they can insert malicious code into widely used open source codebases. As examples, Cotton mentioned a beta version of the compression utility xz Utils, as well as a Russia-based developer who is the sole maintainer of some open source software that exists inside Defense Department software packages.

Chinese attackers exploit zero-day to target Cisco email security products
This exploit has a CVE number and a maximum severity score of 10, and affects appliances with certain ports open to the Internet that are running the company's AsyncOS software for its Secure Email Gateway and Secure Email and Web Manager. Chinese hackers have been exploiting this since late November, the company said on Wednesday. The attribution to a Chinese threat group is based on the assessment of the tools and infrastructure used during the attacks.

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Security training fails when it's generic. Adaptive's platform personalizes training and runs deepfake simulations across email, SMS, voice and video. And with Adaptive's AI content creator, you can drop in a breaking threat or compliance doc and instantly turn it into interactive, multilingual training. No designers, no delays. Learn more at adaptivesecurity.com. That is adaptivesecurity, as one word, dot com.

Hackers breach Britain's health service tech provider
DXS International, a UK technology company whose software is widely used by the country's National Health Service, has disclosed a cybersecurity incident involving unauthorized access to internal office servers. This was detected on December 14. The company said the breach was contained and that clinical services remained fully operational. It is not yet known whether NHS patient data was affected, though the incident has been reported to the Information Commissioner's Office. DXS is working with NHS cybersecurity teams and external specialists to investigate. The company does not expect a material financial impact. Its software supports clinical decision making and referral management for GP (general practitioner) practices and handles around 10% of NHS referrals in England.

Soaring increase in the use of DIG AI, the uncensored darknet AI assistant
A report from Resecurity shows a fourth-quarter surge in the criminal use of DIG AI, a tool that enables malicious actors to leverage the power of AI to generate tips ranging from explosive device manufacturing to illegal content creation. Because DIG AI is hosted on the Tor network, these tools are difficult for law enforcement to find, which has resulted in a significant underground market. The recent surge in use can be attributed to activities related to the holiday season as well as the Winter 2026 Olympics in Milan and the FIFA World Cup.

CISA warns of critical and exploited ASUS Live Update flaw
This flaw has been added to CISA's KEV catalog after evidence of active exploitation emerged. The vulnerability, which has a CVSS score of 9.3, has been described as an embedded malicious code vulnerability introduced by means of a supply chain compromise that could allow attackers to perform unintended actions. According to a description of the flaw published on CVE.org, certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise.

New password spraying attacks target Cisco and Palo Alto Networks VPN gateways
An automated campaign is targeting multiple VPN platforms with credential-based attacks, observed against Palo Alto Networks' GlobalProtect and Cisco SSL VPN. This is according to a report from GreyNoise. The attacks originated from more than 10,000 unique IP addresses and were aimed at infrastructure located in the United States, Mexico and Pakistan. The malicious traffic originated once again from the 3xK Germany IP space, indicating a centralized cloud infrastructure. This attack is different from the one that occurred on December 12, also originating from 3xK, which in that case also impacted Cisco SSL VPN endpoints. In this particular attack, the researchers stated that "the threat actor reused common username and password combinations."

Make sure you have your calendar set to join us for the Department of No this Monday at 4 p.m. We kick off each week by sitting down with two cybersecurity leaders and finding out what news matters to their teams and how they are using it in their security programs. If you have ever brought a piece of news that you have heard on Cybersecurity Headlines to your standup, then you need to join us every Monday at 4:00 p.m. Eastern on the CISO Series YouTube channel. And if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Episode: Windows RemoteApp problems, ferry malware arrest, Senator's open-source warning
Host: Steve Prentiss
Date: December 19, 2025
This episode delivers a rapid roundup of key developments in cybersecurity, including breaking software issues, alarming security breaches in transportation and health care, pressing concerns over open-source software, warnings about new cyber vulnerabilities, and notable threat intelligence findings. For security professionals and interested listeners, it’s a quick but comprehensive scan of today’s cybersecurity landscape.
[00:07–01:47] Recent Windows updates break RemoteApp connections
Quote:
"RemoteApp enables users to stream individual Windows applications from the cloud without loading an entire virtual desktop, making them run like local and native applications."
— Steve Prentiss, [00:39]
[01:47–03:04] France arrests threat actors for installing malware on Italian ferry
Quote:
"French authorities have arrested two crew members working on an Italian passenger ferry ... suspected of infecting the ship with malware that could have enabled them to remotely control the vessel."
— Steve Prentiss, [01:49]
[03:04–03:54] Senate intel chair urges safeguards against open source software threats
Quote:
"Threat actors assume that contributors are benevolent so they can insert malicious code into widely used open source codebases."
— Steve Prentiss summarizing Tom Cotton, [03:24]
[03:54–04:32] Chinese attackers exploit zero-day to target Cisco email security products
Quote:
"Chinese hackers have been exploiting this since late November, the company said on Wednesday."
— Steve Prentiss, [04:12]
[05:15–05:57] Hackers breach Britain's health service tech provider
[05:57–06:32] Soaring increase in the use of DIG AI, the uncensored darknet AI assistant
Quote:
"Because DIG AI is hosted on the Tor network, these tools are difficult for law enforcement to find, which has resulted in a significant underground market."
— Steve Prentiss, [06:12]
[06:32–07:01] CISA warns of critical and exploited ASUS Live Update flaw
[07:01–07:48] New password spraying attacks target Cisco and Palo Alto Networks VPN gateways
The episode presents information in a succinct, informative, and authoritative manner, keeping language clear and direct. The tone is urgent and focused, matching the seriousness of the news items without leaning into hype or speculation.
This episode offers a fast-paced yet in-depth scan of crucial threats and trends in cybersecurity as of December 19, 2025. Listeners receive actionable information on breaking vulnerabilities, novel attack methods, and shifting regulatory attention—essential intelligence for IT and security professionals.